The present invention relates to computer security, and more particularly, to an apparatus and method for providing secure access to a wide-area network.
Advances in computer and communications technology have increased the free flow of information within networked computer systems. While a boon to many, such a free flow of information can be disastrous to those systems which process sensitive or classified information. In a typical networked computer system, one or more workstations are connected over a network to a host computer or server. These workstations may range from low-cost personal computers to powerful UNIX processors. In such a system the workstations, servers and even the connecting networks may all be at great risk of a security breach.
In developing a strategy for reducing the potential and consequences of a security breach (i.e. a computer security policy), one must assume that competent and dedicated individuals will mount active attacks on the computer system""s security mechanisms. These individuals are called the threat. The threat seeks to find vulnerabilities which can be exploited to cause a part of the computing system to operate in violation of its owner""s security policy. Threats fall into two broad classes: Insiders and Outsiders.
Insiders are those individuals who have been granted some level of legitimate privilege and then abuse that privilege. An example of an insider in the noncomputer world is a bookkeeper who uses his or her legitimate access to account records to embezzle. An example in the computer world is a systems administrator who uses his or her legitimate access to a computer system to generate fraudulent billings, payable to a corporation owned by the administrator. Concern for insider actions also extends to individuals who, through ignorance, incompetence or improper direction, cause security policy to be violated intentionally.
Outsiders are those individuals who have no legitimate privilege on the system but who can exploit vulnerabilities to gain access to it. An example of an outsider in the noncomputer world is a burglar, who exploits weaknesses in locks and alarms to steal from a safe or lockbox. An example of an outsider in the network world is the xe2x80x9chackerxe2x80x9d who takes control of a networked computer away from its legitimate owners.
The risk of security breach is compounded when a pathway is provided from the internal, private network to an external wide-area network such as the Internet. The Internet is a loose conglomeration of networks connected by a standard network protocol. The lure of access to the Internet is the vast amounts of information that can be accessed by the user; the danger is that there are little or no controls on what individuals have access to and what they may do with that access. Therefore, access to the Internet can provide an open door for exploitation of your own network by a variety of threats.
In effect, a wide-area network such as the Internet serves as a threat multiplier. Networks such as the Internet have evolved as fora for the free exchange of ideas. This fact can be exploited by threats seeking to access or subvert a private network. For instance, the global connectivity of such a network means that data taken from a private network can be moved around the world very quickly. To compound this problem, the Internet contains a number of very large data archives which can be used to store data transferred or posted from private networks. Hackers have also used the global connectivity of wide-area networks such as the Internet to directly manipulate computer facilities on the internal network (by such mechanisms as trying unlikely combinations of requests or commands) or to inject malicious software into the machine. Malicious software, which is able to do the threat""s bidding remotely and without direct control, can be injected manually or by such technical mechanisms as xe2x80x9cvirusesxe2x80x9d or xe2x80x9cworms.xe2x80x9d (One such self-replicating piece of malicious software was responsible for a well publicized attack on computers connected to the Internet a few years ago.)
Internet protocols that have been developed to-date were not designed for security. For instance, Usenet news can be used by ignorant or disgruntled employees to post company proprietary information in publicly accessible space. In some cases, this posting can be done anonymously (e.g. by using an anonymous file transfer mode or by posting the data to an anonymous server). In addition, the proprietary nature of data may be obscured by encrypting the data via one of a number of free, easily accessible cryptographic packages.
In addition, since the standard Unix password is reusable, it is subject to capture and abuse by outsider threats. For instance, the use of reusable passwords means that each password is vulnerable to being xe2x80x9csniffed outxe2x80x9d and captured. Once captured the password can be used by an inside or an outside threat to gain access to a site. In addition, if the password belongs to someone with administrative privilege, the threat can use the captured password to gain administrative privileges on the internal network. The threat can then use that privilege to install a permanent xe2x80x9ctrapdoorxe2x80x9d in order to ensure future access.
This combination of features makes the Internet particularly vulnerable to attack. A potential buyer of stolen information can anonymously post a solicitation along with his public key; potential sellers can then encipher the information desired with that public key and post it, secure in the knowledge that only the solicitor will be able to decipher it.
The existence of an active threat places requirements on a private network which are significantly different from the superficially similar problem of providing reliable service. A reliability engineer can take advantage of the low probability of certain phenomenon, and choose not to respond to them because they are so unlikely. A security engineer cannot do this; a vulnerability, however obscure and unlikely, will be actively sought out by the threat, publicized to persons of like mind, and exploited over and over once discovered. Countermeasures must therefore be developed which effectively close, or prevent the exploitation of, each system vulnerability.
A number of countermeasures have been proposed to reduce the vulnerability of networked systems. These countermeasures share three characteristics:
1) It takes a secret to keep a secret. All information security mechanisms are based on the use of secrets which are shared by authorized individuals an kept from unauthorized ones. The secrets may be transformed, compressed or hidden inside protected hardware, but in every security architecture there is one set of values, which, if known, would lead to the compromise of the whole system.
2) Vulnerabilities always exist. It is no more possible to achieve perfect security than it is to achieve perfect reliability; in fact, it is much less possible because you must assume that the threat is actively working to discover the system vulnerabilities.
3) Threats escalate continuously. Installation of a given set of countermeasures does not eliminate the threat; it simple spurs it on to greater efforts to find ways of circumventing them.
These three common factors then pose the following problems for the countermeasures engineer:
1) Protecting the secrets that keep the secrets. This is highest priority requirement, for loss of these values would lead to catastrophic breaches of security.
2) Making vulnerabilities hard to find. The embodiment of the security mechanisms must be such that it is difficult for the threat to obtain details of their operation, or instances of them on which experiments may be performed.
The countermeasures proposed to date have focussed on either preventing the transfer of data or on encrypting the data using known cryptographic methods in order to render it more difficult to compromise.
One method proposed for the prevention of unauthorized exploitation of the private network by inside or outside threats is an Internet xe2x80x9cfirewallxe2x80x9d. xe2x80x9cFirewallsxe2x80x9d implement a security policy based on the routing information contained in individual packets transferred to and from the wide-area network. They look only at the headers of the packets and then make decisions based on where the packet is going and where it came from. Typically, xe2x80x9cfirewallsxe2x80x9d direct packets to a dedicated application machine which has a limited configuration of software. This application machine is then connected to a second router that limits its access to a specific set of internal systems.
A typical Internet xe2x80x9cfirewallxe2x80x9d system is 10 shown in FIG. 1. In FIG. 1, system includes a router 12 connected over an internal network 14 to workstations 16 and 18. Router 12 is also connected to a wide-area network 20 such as the Internet. Router 12 runs Internet xe2x80x9cfirewallxe2x80x9d software intended to inspect packet based traffic and remove or reroute packets meeting a predefined criteria.
xe2x80x9cFirewallsxe2x80x9d are header sensitive, not content sensitive. Therefore they are subject to various forms of attack. For instance, a hacker 22 may construct a packet having a header which looks like a header passed by the firewall. Such a packet will slip unnoticed past router 10 and onto one or more workstations 16, 18. In addition, a threat 24 may be able to access sensitive data on network 14 through the file transfer protocol (xe2x80x9cFTPxe2x80x9d). As noted above, a buyer 26 of stolen data may use Usenet news to solicit transfer of proprietary data from venal or disgruntled employees. Finally, a threat 28 may work in conjunction with a subverted employee 30 to transfer proprietary information via encrypted electronic mail or anonymous FTP.
Therefore, the Internet firewall approach has the following disadvantages:
1) This approach is vulnerable to attacks which construct fake header information (such as that by hacker 22 above). The theory of such attacks is well known; it is only a matter of time before turnkey scripts for mounting them become globally available on the Internet.
2) A xe2x80x9cfirewallxe2x80x9d is an xe2x80x9call-or-nothingxe2x80x9d approach to security. If an attacker gets through the xe2x80x9cFirewallxe2x80x9d, then the internal network on the other side lies naked and unprotected against effectively undetectable trojan horse attacks.
3) xe2x80x9cFirewallsxe2x80x9d can be difficult to configure correctly and even more difficult to keep secure because they have to be reconfigured as you modify your internal network.
4) xe2x80x9cFirewallsxe2x80x9d cannot make security decisions based on data content, because they only see the data after it has been cut into packets and rearranged in the course of transmission.
5) xe2x80x9cFirewallsxe2x80x9d limit, in arbitrary and irrational ways, the user""s ability to interact with the Internet.
6) xe2x80x9cFirewallsxe2x80x9d require special xe2x80x9cproxyxe2x80x9d software for many Internet services. This means that there is a slow and costly development step required to xe2x80x9csecurexe2x80x9d a new service using the xe2x80x9cFirewallxe2x80x9d technique.
7) xe2x80x9cFirewallsxe2x80x9d require extra hardware and network connections, which increases cost and administrative overhead.
The cryptographic countermeasures proposed to date have focussed on encrypting the data using known cryptographic methods in order to render it more difficult to compromise. Cryptography operates by performing mathematical transforms on data so that it is rendered unintelligible to an outside observer. In order for the data to be retrieved, the transform is based on a second set of values called keying material. It is the keying material that is, in this case, the secret that keeps the secrets. Since both the writer and the authorized reader of the data must have equivalent keying material, the central problem in cryptography is key management: the safe and reliable delivery of equivalent keying material to both ends of the writer-reader axis.
Cryptographic transforms use mathematical algorithms of great complexity and sophistication. In order to provide real-world security it is also necessary, however, that the embodiment or implementation of the algorithm be not only correct but also free of vulnerabilities or side effects which can be exploited by the threat.
One commonly used class of cryptographic algorithms is called secret-key or symmetric. Such algorithms are called symmetric because the same element or value of keying material is used both to encipher (scramble) and to decipher (unscramble). They are called secret-key because that keying material must be kept secret at both the writer and the reader ends of a communication. Secret-key systems require a some degree of prearrangement between the writer and the reader, so that the identical values of keying material are in place in advance of communication. As such, secret-key cryptography is most suited for communication amongst a closed community, where membership in the community is known a priori. Simple changes in key distribution patterns can be used to add or delete individuals from the community. Another class of cryptographic algorithms is called public-key or asymmetric. Such algorithms are called asymmetric because two mathematically related elements of keying material are required: a public key, which is used to encipher but which cannot be used to decipher (unscramble), and a private key, which is the only value that can decipher. The corresponding private key, which is the secret that keeps the secret, is closely held. The public key, since it cannot be used to decipher, can be widely disseminated. By this means a secret message can be sent without explicit prearrangement: the writer obtains the reader""s public key from some service akin to a telephone directory, enciphers the message, and sends it with the knowledge that only the reader holds the private key that can decipher it.
A form of public-key algorithm can also be used to authenticate, or sign, data. In this operation the private key is used to compute a value which is mathematically related to the data, called a digital signature. The private key is used so that only the holder of that private key can establish the distinctive value of the signature. The mathematics of the operation are such that the corresponding public can be used to determine the validity of the signature. Thus only one person can sign, but any individual with access to the public key service can check the signature.
Public-key cryptography is most suited for communication within an open community, where it is desired to have secret and/or authenticated communication without prior arrangement. Adding individuals to the community is relatively simple, but deleting individuals is difficult.
Cryptography has the following uses in information security:
1) Protection of communications links where the transmissions can be easily intercepted.
2) Protection of electronic mail where the messages may be forwarded through sites not under the control of the writer or the authorized reader of the message.
3) Protection of data stored on removable media or media which is exposed to the possibility of physical theft.
4) Authentication, where the knowledge of a shared secret is used to verify the identity of an individual or a machine.
The most sophisticated approaches to protecting data transferred over the unsecured Internet network are through the application of Global Cryptography at the Client workstation, so that data is enciphered at the source and deciphered at its destination. The principal application of this approach is to electronic mail. Global Cryptography can be implemented in software, as in the Privacy Enhanced Mail system, or in personal tokens which combine the cryptographic mechanisms with an individual""s certificate, as in the MOSAIC program.
A less sophisticated approach is to apply the cryptography only on the wide-area network. Historically, there have been two ways to do this, called Link Encryption and End-to-End Encryption.
In the Link Encryption approach, all bits coming out of a network node and onto the network are enciphered. This requires that the destination node have an identical cryptographic device and compatible keying material with the source. The disadvantage of link encryption is that all bits are encrypted, including those used to route packets over a packet-switched network. This effectively prevents a packet-switched network from working.
To permit the use of cryptography over packet-switched networks, the technique of End-to-End Encryption was devised. In this technique, only the packet contents are encrypted, and the critical routing information is left as plaintext. The xe2x80x9cendsxe2x80x9d in End-to-End encryption are typically multi-user servers and not individual workstations, so that the problem of getting compatible keying material at each end is reduced to manageable proportions.
Neither data encryption nor the use of Internet xe2x80x9cfirewallsxe2x80x9d address the array of vulnerabilities inherent to connection of an internal, private network to an external, wide-area network such as the Internet. What is needed is a comprehensive and integrated security policy and apparatus for preventing exploitation of private network resources by both internal and external threats.
The present invention provides a secure wide-area access system comprising a secure computer, an internal network and a workstation connected across the internal network to the secure computer. The secure computer comprises an internal network interface, a public network interface, public network program code used to communicate through the public network interface to a public network, private network program code used to communicate through the internal network interface to the workstation and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process to data.
According to another aspect of the present invention, a method of protecting a computer system connected to an unsecured external network is described. The method comprises the steps of providing a secure computer, wherein the secure computer comprises security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process to data, connecting the Type Enforcement based secure computer to the private network and establishing an assured pipeline for the transfer of data and programs between the private network and the external network through the secure computer. The step of establishing an assured pipeline includes the steps of placing processes within domains, wherein the step of placing processes within domains includes the step of assigning processes received from the external network to an external domain, assigning types to files and restricting access by processes within the external domain to certain file types.
According to yet another aspect of the present invention, a secure server is described for use in controlling access to data stored within an internal network. The secure server comprises an administrative kernel and an operational kernel, wherein the operational kernel includes security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network and wherein the administrative kernel is restricted to execution only while isolated from the internal network.
According to yet another aspect of the present invention, the secure server comprises a processor, an internal network interface, connected to the processor, for communicating on an internal network and an external network interface, connected to the processor, for communicating on an external network. The processor includes server program code for transferring data between the internal and external network interfaces and security policy program code for enforcing a Type Enforcement security mechanism to restrict access of a process received from the external network to data stored on the internal network.
According to yet another aspect of the present invention, a system and method are described for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer and a server function for transferring data between the private network interface and the unsecured network interface.
According to yet another aspect of the present invention, a system is described for secure internetwork communication across an unsecured network. First and second secure computers are connected to first and second private networks, respectively, and to each other across the unsecured network. The first and second secure computers include a private network interface and an unsecured network interface for secure transfer of data from the first secure computer to the second secure computer over the unsecured network. The unsecured network interface includes means for encrypting data to be transferred from the first secure computer to the second secure computer. A client subsystem is added to workstations connected to each private network in order to control the transfer of data from the workstation to the respective secure computer.